Commit 778a5c90 authored by conrad's avatar conrad

Apply patch by Jim Blandy from Mozilla bug 480521

Avoid overflow in comment lengths

git-svn-id: http://svn.annodex.net/liboggz/trunk@3882 8158c8cd-e7e1-0310-9fa4-c5954c97daef
parent a08faa5f
......@@ -537,9 +537,10 @@ oggz_comments_decode (OGGZ * oggz, long serialno,
end = c+length;
len=readint(c, 0);
if (len<0) return -1;
c+=4;
if (c+len>end) return -1;
if (len>end-c) return -1;
stream = oggz_get_stream (oggz, serialno);
if (stream == NULL) return OGGZ_ERR_BAD_SERIALNO;
......@@ -556,15 +557,18 @@ oggz_comments_decode (OGGZ * oggz, long serialno,
if (c+4>end) return -1;
/* This value gets checked effectively by the 'for' condition
and the checks within the loop for c running off the end. */
nb_fields=readint(c, 0);
c+=4;
for (i=0;i<nb_fields;i++) {
if (c+4>end) return -1;
len=readint(c, 0);
if (len<0) return -1;
c+=4;
if (c+len>end) return -1;
if (len>end-c) return -1;
name = c;
value = oggz_index_len (c, '=', len);
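Review bot: The two `if (c+4>end) return -1;` guards in the second hunk (before `nb_fields=readint(c, 0);` and at the top of the `for` loop) still use the pointer-addition form that this commit replaces for the `len` checks. At those points `c` can presumably be equal to `end` or within three bytes of it, so `c+4` forms a pointer more than one past the end of the buffer; this is undefined behaviour, so a compiler may assume the comparison never fails or the sum may wrap. Writing both guards as `if (end-c<4) return -1;` keeps the arithmetic inside the buffer and matches the new `if (len>end-c) return -1;` style. The body of `oggz_comments_decode` starts and ends outside these hunks, so it is not visible here whether `length` is checked to be at least 4 before the first `readint(c, 0)`; that is worth confirming.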
......